

Polar Cove’s Experience in Sarbanes-Oxley Sec. 404 – A Roadmap
by Philip M. Cronin, CISSP

SOX has changed the landscape: The Sarbanes-Oxley Act (SOX) applies directly to companies listed on the US stock exchanges, but it sets a standard for any company that may go public or that might be acquired by a public company. SOX rules bear heavily on IT assessment itself and on management oversight of all IT control systems that support external financial disclosures. Under SOX, a company’s external auditor must now provide annual opinions on the reliability of the IT control representations made by the company’s CEO and CFO. Simply put, CEOs and CFOs must demonstrate sound and persuasive bases for their representations about information control.

The new landscape is still being developed. Tens of thousands of pages have been written about SOX implications and interpretations and, importantly, about the specific implementation requirements of the various enforcement agencies, including the SEC, which is charged with applying these new laws.

SOX Sections 302 and 404 have created radical, ongoing, and comprehensive compliance obligations. In regulatory environments, requirements do not tend to diminish. Companies must look at their current 404 compliance practices, and they should prudently establish a plan for managing their risks.

There are new risks: Other than non-compliance with SOX itself, the greatest risk for senior managers is not understanding the critical areas and then doing either too much or too little. Companies must find specific, relevant, practical approaches to compliance with this legislation. The risks of non-compliance are high, and the unpleasant results are comparable to any other failure to meet acceptable financial standards. Polar Cove, with its experience in SOX Section 404, provides practical, cost-effective direction for companies that want to comply with these new rules.

Getting ready for Sarbanes-Oxley compliance is a challenging task. There are many preparatory steps, including identifying all significant financial statement accounts, mapping the processes and systems that support them, and documenting and testing those processes and systems. At its best, the preparations will illustrate that the assessment process aligns with a series of steps and activities that meet PCAOB rules. This process is significantly different from traditional IT responsibilities and needs to be independent of straightforward IT activities. (Fig.1)

Management is responsible: Management is required to assess the design and effectiveness of its internal control over financial reporting and must provide an assertion to that effect in the published financial statements.

Moreover, the company’s external auditors are required to express an opinion about management’s assessment, plus the auditors’ own opinion on the company’s internal controls. In order to test management’s assertions and to develop opinions, the auditor must: perform a walkthrough of major classes of transactions for significant processes to understand process flows; assess the design and effectiveness of controls, including application and IT general controls; evaluate the design effectiveness of IT controls to determine whether they are properly configured to achieve the relevant assertions; and perform tests of the operating effectiveness of the general IT controls that are necessary to achieve those assertions.

IT has defined roles in internal control of financial reporting: IT-intensive financial reporting areas that are impacted by SOX include:

  • Transaction Flow: The PCAOB rules are clear. Transactions flow demonstrably through the system, not around it.
  • Application Control: Each significant process over each major class of transactions affecting significant accounts or groups of accounts must be identified. The flow of transactions, including how transactions are initiated, authorized, recorded, processed, and reported has to be clarified. Moreover, weakness must be pointed out. This includes identifying the points within the process at which a misstatement – including a misstatement due to fraud – related to each relevant financial statement assertion could arise; enumerating the controls that management has implemented to address these potential misstatements and detailing the controls that management has implemented over the prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets.
  • General IT Controls: SOX requires an evaluation of the company’s underlying or general computing control environment. In general, such controls include the “information technology general controls, on which other controls are dependent”. Controls that “have a pervasive effect on the achievement of many objectives” must be identified and tested. These “may include, for example: information technology general controls over program development, program changes, computer operations, and access to programs and data.”

COSO and CobiT both provide models for general computer controls: The PCAOB designates COSO as the prescribed standard control framework, and COSO has become the control framework of choice for SOX compliance. All five COSO layers must be considered when evaluating internal control.

However, COSO does not provide specific guidance on IT control. CobiT, on the other hand, is a widely accepted IT control framework. CobiT defines four domains of IT control, and CobiT controls address all five layers of COSO. By mapping CobiT controls to the COSO layers in this way, organizations can be confident that they are taking an approach that reflects COSO requirements. (Fig. 2)

Polar Cove has expertise and extensive experience in IT Controls and Frameworks. Our certified professionals are familiar with all aspects of COSO and CobiT. As a consulting service, Polar Cove works with top management, helping to ensure that decisions about SOX compliance meet both the needs of each company and the requirements of SOX.

SOX Critical Section 404 IT Controls Area Requirements:

SOX auditors often focus on a subset of critical Sec. 404 IT Controls Area Requirements. These are areas where Polar Cove has extensive experience, including:

Security:

  • Application and platform based.
  • Focus on applications that may impact financials and supporting infrastructure.
  • Require secure operating systems, database, network, firewalls and infrastructure.
  • Look for excessive access; lack of segregation of duties; inadequate approval of access; test key processes to determine that they are effective.

Change Control:

  • Establish that procedures are in place to control and ensure proper approval of changes to production.
  • Define/develop the technical controls that will limit and sufficiently control developer access to production.
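The Security and Change Control bullets above describe what an auditor looks for in an access review: segregation-of-duties conflicts, access that was never approved, and developers who can write to production. The script below is an added illustration, not Polar Cove's own tooling or method; the entitlement extract, the toxic-combination matrix and the approval register are all constructed sample data, and the role and system names are assumptions chosen for the example.

```python
"""Added example: three automated checks that support a SOX 404 access review.

Not Polar Cove's code. All data here is constructed for illustration; in a
real review the entitlement extract comes from the application or directory,
the SoD matrix from the control owners, and the approval register from the
access-request system.
"""
from collections import defaultdict

# Constructed entitlement extract: (user, system, role).
ENTITLEMENTS = [
    ("alice", "GL", "journal_entry_create"),
    ("alice", "GL", "journal_entry_approve"),   # creates and approves: SoD conflict
    ("bob",   "AP", "vendor_master_maintain"),
    ("bob",   "AP", "payment_release"),         # maintains vendors and pays them: SoD conflict
    ("carol", "AP", "invoice_enter"),
    ("dave",  "GL", "journal_entry_approve"),
    ("erin",  "ERP_DEV",  "developer"),
    ("erin",  "ERP_PROD", "db_admin"),          # developer with write access to production
    ("frank", "ERP_DEV",  "developer"),
    ("frank", "ERP_PROD", "read_only"),         # read-only production access is acceptable
]

# Constructed toxic role combinations (assumed; a real matrix is agreed with finance).
SOD_CONFLICTS = {
    frozenset({"journal_entry_create", "journal_entry_approve"}),
    frozenset({"vendor_master_maintain", "payment_release"}),
    frozenset({"invoice_enter", "payment_release"}),
}

# Constructed approval register: every entitlement that has a documented approval.
APPROVED = {
    ("alice", "GL", "journal_entry_create"),
    ("alice", "GL", "journal_entry_approve"),
    ("bob",   "AP", "vendor_master_maintain"),
    ("carol", "AP", "invoice_enter"),
    ("dave",  "GL", "journal_entry_approve"),
    ("erin",  "ERP_DEV",  "developer"),
    ("frank", "ERP_DEV",  "developer"),
    ("frank", "ERP_PROD", "read_only"),
}

PRODUCTION_SYSTEMS = {"GL", "AP", "ERP_PROD"}   # assumed system inventory
READ_ONLY_ROLES = {"read_only"}
DEVELOPER_ROLE = "developer"


def roles_by_user(entitlements):
    """Collapse the extract into {user: set(roles)} across all systems."""
    roles = defaultdict(set)
    for user, _system, role in entitlements:
        roles[user].add(role)
    return roles


def find_sod_conflicts(entitlements, conflicts=SOD_CONFLICTS):
    """Return sorted (user, role_a, role_b) for every toxic pair a user holds."""
    findings = []
    for user, roles in roles_by_user(entitlements).items():
        for pair in conflicts:
            if pair <= roles:                    # user holds both halves of the pair
                role_a, role_b = sorted(pair)
                findings.append((user, role_a, role_b))
    return sorted(findings)


def find_developer_prod_write(entitlements, prod=PRODUCTION_SYSTEMS):
    """Developers (on any non-production system) who also hold a non-read-only
    role on a production system; this is the change-control boundary SOX auditors test."""
    developers = {u for u, s, r in entitlements if r == DEVELOPER_ROLE and s not in prod}
    findings = {
        (u, s, r) for u, s, r in entitlements
        if u in developers and s in prod and r not in READ_ONLY_ROLES
    }
    return sorted(findings)


def find_unapproved(entitlements, approved=APPROVED):
    """Entitlements in the live extract with no matching approval record."""
    return sorted(set(entitlements) - approved)


if __name__ == "__main__":
    for title, rows in (
        ("Segregation-of-duties conflicts", find_sod_conflicts(ENTITLEMENTS)),
        ("Developer write access to production", find_developer_prod_write(ENTITLEMENTS)),
        ("Access without documented approval", find_unapproved(ENTITLEMENTS)),
    ):
        print(title)
        for row in rows:
            print("  ", row)
```

Each function returns its findings as a sorted list so the output can be diffed between review cycles; a finding that persists across two cycles is the kind of item that ends up in the deficiency list in Step 7 of the roadmap below.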

Disaster Recovery:

  • Focus on basic backup and recoverability of financial data.

IT Governance:

  • Determine whether there are clear policies, procedures, and communications within IT.
  • Evaluate clarity in the segregation of duties.
  • Examine the “tone at the top” of the IT organization and determine whether it is appropriate.

Development And Implementation Activities:

  • Build in the proper controls that need to be in place before a new system or system change goes into the production environment.
  • Evaluate new financial systems, including critical data conversion and testing.

Preparation, the SOX Readiness Roadmap:

Preparing for SOX 404 requires a structured and measured approach; otherwise an organization will find itself doing “too much” or “too little”. The current PCAOB rules require auditors to attest to the “management assessment process”. As such, the readiness roadmap that Polar Cove clients follow serves to demonstrate the assessment process through a series of steps and activities that align with the PCAOB rules and CobiT guidelines.

Step-by-Step Approach to SOX Compliance

1. Plan & Scope

  • Financial reporting process
  • Supporting system

2. Perform Risk Assessment

  • Probability & Impact to business
  • Size / complexity

3. Identify Significant Controls

  • Application controls - over initiating, recording, processing & reporting
  • IT General Controls

4. Document Controls

  • Policy manuals
  • Procedures
  • Narratives
  • Flowcharts
  • Configurations
  • Assessment questionnaires

5. Evaluate Control Design

  • Mitigates control risk to an acceptable level
  • Understood by users

6. Evaluate Operational Effectiveness

  • Internal audit
  • Technical testing
  • Self assessment
  • Inquiry
  • All locations and controls (annual)

7. Identify & Remediate Deficiencies

  • Significant deficiencies
  • Material weakness
  • Remediation

8. Document Process & Results

  • Coordination with Auditors
  • Internal sign-off (302, 404)
  • Independent sign-off (404)

9. Build Sustainability

  • Internal evaluation
  • External evaluation



© 2006 Polar Cove